NCES/IES Restricted-Use data Licenses impose significant restrictions on who can have a License, who can access the data, and where and how the data can be housed. One such restriction includes the use of secure data room where the Restricted-Use data is stored and used by Licensed researchers.
Due to the widespread demand for NCES/IES Restricted-Use data from our student and faculty researchers at HGSE combined with the significant resource overhead required of license applicants (e.g., NCES/IES Restricted-Use data can only be stored and used on an pre-approved stand-alone, non-networked desktop computer stored within a pre-approved, access controlled space), HGSE has allocated and exclusively dedicated Room 307 in Gutman Library for use as a shared, NCES/IES Restricted-Use Secure Data Room (SDR). Gutman 307 has been pre-approved by NCES/IES as a centralized location at HGSE where approved NCES/IES Restricted-Use data users may store and work with their data.
NOTE: While those researchers looking to apply for an NCES/IES Restricted-Use data license (as users or as a PPO) are not required to use the SDR as their designated secure data room, an alternative space would need to be suggested by the researcher and reviewed/approved (timeframe averages anywhere between 1-4 months) as feasible and secure by HGSE's Director of Security Operations (DSO) and HGSE's Operations Department. While some HGSE faculty members may have a preferred office space available they'd like converted into a secure data room exclusively for their/their students' use, often, no availability exists, and as such, all are encouraged to utilize the SDR for their NCES/IES Restricted-Use data needs.
The SDR is available for use by Licensed users (see how to gain access in the following section) between the hours of 9 a.m. - 5 p.m., however library hours change seasonally (regular, intersession, summer, and reference hours). For the most up-to-date regular and seasonal hours, please visit: https://www.gse.harvard.edu/library/hours.
Hardware, Software, & File Storage
Hardware: Seven (7), non-networked Dell OptiPlex 7050 MT desktop computers equipped with the following:
- Microsoft Windows 10 operating system
- Processor: Intel® Core™ i7-7700
- Memory: 32 GB (4x8GB) 2400MHz DDR4
- Adobe Acrobat Pro 2017
- Microsoft Office Pro Plus 2016
- R for Windows
- SAS University Edition
- SPSS Statistics
- Stat Transfer
- While users are permitted to store their statistical analysis files locally on the SDR's desktop computers, given the inherrent risks accompanying any user computer or device for failure due to any number of reasons, users are strongly encouraged to manually backup their permitted files using an encrypted thumb drive or external hard drive as the recovery of lost user files due to a system's failure will be unlikely (for device recommendations, please see HGSE's Recommend Encryption Tools). Due to NCES/IES regulations, no backups of the Restricted-Use data are permitted and the local hard drives of the computers in the SDR are not backed up by HGSE IT.
Apply for a New NCES/IES Restricted-Use License in the SDR
Please note, you must have a direct affiliation with HGSE as a faculty, student, or staff member to apply for a NCES/IES Restricted-Use License at HGSE. Similarly, applicants must read the NCES/IES Restricted-Use Data Procedures Manual. This manual outlines in full all required procedures and restrictions on Restricted-Use data and Licenses.
- Obtain IRB Approval: Researchers must have an approved Committee on the Use of Human Subjects (CUHS) (Longwood Medical Area)/Institutional Review Board (IRB) (University Area) protocol, be added to an existing one, or submit a new protocol for the project you plan use the NCES/IES Restricted-Use data for via Harvard's Electronic Submission Tracking and Reporting (ESTR) platform.
Application Personnel: Applicants must designate the following three individuals on their application to qualify for and receive a Restricted-Use data License from NCES/IES, as these persons will sign the required and applicable documents in Step #3 for the License:
- Principle Project Officer (PPO): A PPO is responsible for the day-to-day operations involving the requested data. Academic applicants must have the rank of post-doctoral fellow or above to serve as the PPO (applicants unable to meet this standard must secure an HGSE faculty member willing to serve as PPO). Visiting professors or scholars cannot be a PPO, and applicants in research laboratories or analytic consulting firms must have the rank of research associate or above to serve as a PPO.
- Senior Official (SO): Each application must have the support of a SO who has the legal authority to sign the License (contract) on behalf of the institution to bind them to the terms of the License. At HGSE, applicants are asked to submit their proposed research to University-OSP within the Agreements-DUA Application, as an appropriate SO will will be assigned by University-OSP via that Application.
- Systems Security Officer (SSO): Each application must have a SSO to oversee the security of the data. At HGSE, applicants will list HGSE's Director of Security Operations (DSO) as the SSO on their Restricted-Use data License application: Sarah Pruski, Director of Security Operations; Harvard Graduate School of Education, Information Technology, 6 Appian Way, Room 345, Cambridge, MA 02138; Phone: 617-384-7859; Email: firstname.lastname@example.org
Formal Request & Application: Step #3 includes both an online component, as well as a physical paper application component. The former includes the requirement for the PPO to submit a Formal Request for the Restricted-Use License to IES. An applicant may designate up to seven users who will access the Restricted-Use data on their License, though the PPO, SSO (Sarah Pruski), and a support staff member of the ITSC/Infrastructure Technologies group (Beau Fujita) must be counted as three of these seven persons. Once IES receives the Formal Request online, the PPO must then submit the following three physical documents:
- A signed IES License Document (View IES Instructions)
Executed Affidavit(s) of Nondisclosure for all intended users on the License (again and at a minimum, an affadavit is required from the PPO, SSO (Sarah Pruski), and a support staff member of the ITSC/Infrastructure Technologies group (Beau Fujita). Please email the SSO and support staff member directly to request and collect their executed affadavits) (View IES Instructions) - Each affidavit must contain the following statement within the upper-right box labeled "NCES Database or File Containing Individually Identifiable Information": All NCES/IES Data. This statement clears each user on the License to view current or future NCES/IES Restricted-Use datasets on their PPO's License within the approved secure data room and forgo the execution of new affidavits for each user. Do not sign on the signature line until in the presence of a notary. Doing so in advance will nullify the affidavit, and you will be required to re-complete a new document before signing in front of the notary. Harvard University provides notary services to Harvard community members at select offices. Public notary services are also available through commercial businesses in the area. Please note the hours, required evidence of identity, and any applicable fees for notarization at each respective location:
- Harvard Office of the General Counsel
- Harvard University Employee Credit Union
- The UPS Store
- Bank Notaries: Most banks have a notary public on hand at all times. If you use a certain bank regularly, contact your bank or stop by to inquire about notary services, when they are available and how much they cost. Some banks will notarize documents free of charge if you have a bank account at that specific institution.
- Courthouse Notaries: You can always get something notarized at the courthouse during business hours. Many courthouse clerks do double duty as notaries, but you can call ahead to find out which office to head to in order to get your document notarized, as well as what type of costs you should expect for the service. Generally, the county clerk’s office should be able to assist you with notary needs.
- A signed Security Plan Form (View IES Instructions) - For applicants utilizing the SDR, applicants may obtain a pre-filled Security Plan Form from HGSE's SSO/DSO, Sarah Pruski. Applicants wishing to use a space other than the pre-approved secure data room in Gutman Library must first consult with HGSE's DSO by contacting the IT Service Center in order to confirm the space meets the minimum NCES/IES requirements and the applicant has procured a dedicated, stand-alone and non-networked desktop computer for Restricted-Use data.
- Certificates of completion from all intended users on the License (including HGSE's SSO/DSO (Sarah Pruski), and a support staff member of the ITSC/Infrastructure Technologies group (Beau Fujita) for the NCES/IES Restricted-Use Data License Training. (Please note that this will be an annual requirement of your intended users in order to be in compliance with NCES/IES policies.)
- Duplicate & Submit: To complete the application, securely mail (tracking and/or certification strongly recommended) the signed IES License Document, the notarized affidavit(s) of nondisclosure for all users, the signed Security Plan Form, and training certificates to: IES Data Security Office; Department of Education/IES/NCES, 550 12th Street, SW, Room 4060, Washington, DC 20202; Phone: 202-245-7674. Prior to mailing your application, please make a photo/digital copy of the completed application package.
- If the application is approved, the PPO will receive the following information. Once approved, the applicant must notify HGSE's DSO who will send a request to Operations (email@example.com) for the approved users' physical access to the SDR. Similarly, once approved, applicants must contact Beau Fujita via the IT Service Center in order to receive login credentials to the stand-alone desktop computers in the SDR.
Amending a Current License in the SDR
After your Restricted-Use License application is approved, you will have the option of making amendments to your License. You are also required to submit amendments in order to keep IES informed of any modifications in project staff or security procedures throughout the License and data loan period. For example, adding new users to the License or changing the location of the secure data room/project office must be approved by IES via the amendment process. You will also be required to submit a Close-out License request when your License expires or you are finished using the data in order to officially terminate your contract.
All License amendments must be processed through the Electronic Application System. To log onto the Electronic Application System to amend your License, use the link you received when you first applied for the License. If you do not have this link, go to the system login page and use your License number and the PPO’s email address to generate an email with a link to your License. If you have any problems logging into the system, please contact IESData.Security@ed.gov.
NOTE: The system can only process one amendment type at a time, and any pending amendment has to be approved by IES before another amendment can be submitted.
Adding/Deleting License Users
To add a new user to your project staff, the PPO must notify the IES Data Security Office by submitting an amendment request through the Electronic Application System. You will be asked to provide the name, job title, and contact information of the new staff member. A signed, notarized Affidavit of Nondisclosure for the new user must be mailed to the IES Data Security Office. Please note that the affidavit must contain the following statement within the upper-right box labeled "(NCES Database or File Containing Individually Identifiable Information*)": "All NCES/IES Data". This clears the new user on the License to view any current or future NCES/IES Restricted-Use datasets within the approved secure data room and forgo the execution of new affidavits for each user.
The new user is only authorized to access the subject data when the PPO receives an electronic approval notification from the IES Data Security Office. Please keep a copy of this notification as well as a copy of the new affidavit associated with your project in your on-site License file.
Once approved, the PPO or new user must notify HGSE's DSO who will send a request to Operations (firstname.lastname@example.org) for the newly approved users' physical access to the SDR. Similarly, once approved, the PPO or new user must contact Beau Fujita at the IT Service Center in order to receive login credentials to the stand-alone desktop computers in the SDR.
Similarly, when a user on your project staff leaves, the PPO must notify the IES Data Security Office by submitting an amendment through the Electronic Application System. IES Data Security staff will send you an electronic confirmation. Please keep this confirmation in your on-site License file. The PPO must also notify HGSE's DSO as soon as possible following receipt of the IES electronic confirmation so that physical and technical access to the SDR may be discontinued for the terminated user.
Requesting New Datasets
The PPO may request access to another database in addition to what was agreed upon in the original License. All new data received by the PPO are subject to all of the terms and conditions agreed to in the License and Security Plan Form. Use the Electronic Application System to submit an amendment request for additional data.
The IES Data Security Office will review the amendment request for additional data. After the amendment is submitted and the request for additional data is approved, the database will be sent to the PPO. Please keep a copy of the electronic approval notification in your on-site License file.
Modification of Secure Project Office
The PPO must notify the IES Data Security Office if there are any changes to the agreed upon data security arrangements as outlined in the pre-filled Security Plan Form for the SDR. For non-SDR-related NCES/IES secure project offices, one example may be if the secure project office location needs to change. In either case, the PPO must notify IES by submitting a modify Security Plan amendment via the Electronic Application System.
After submitting the amendment request online, the PPO must send a signed, revised Security Plan Form to the IES Data Security Office. (Note: If the project office is the SDR, HGSE's DSO will provide the PPO with the modified Security Plan Form for submission). Once received, IES will review the new paperwork and approve the request, or notify the PPO if any changes must be made. Please keep a copy of the electronic approval notification in the on-site License file. The PPO must receive electronic confirmation from the IES Data Security Office that approves this amendment prior to implementing any of the proposed changes outlined in the new Security Plan Form.
Extend a Restricted-Use Data License
If more time is needed to complete your research using the restricted-use data, the PPO can request that the License period be extended. To extend the License period, the PPO must notify the IES Data Security Office by submitting an amendment for a License extension via the Electronic Application System. When requesting a License extension, you will be ask to confirm that all License information is accurate and up-to-date. You also might be asked to submit a new Security Plan Form or License document if IES does not have the most recent version of these documents on file for your license.
The request for extension will be reviewed, and if approved, an electronic approval notification of the extension will be sent to the PPO. Please keep a copy of this notification in your on-site License file.
Close-Out a Restricted-Use Data License
If your project is complete, your License is set to expire, or you are leaving the employment of your institution, you will need to close-out your License with NCES/IES and notify HGSE's DSO as soon as possible so that physical and technical access to the SDR may be discontinued. You will need to submit a Close-out request online and mail all Restricted-Use data and all copies of Restricted-Use data using a tracked shipment (FedEx or certified U.S. mail), to:
IES Data Security Office
Department of Education/IES/NCES
550 12th Street, SW, Room 4060
Washington, DC 20202
Additionally, you will need to fill out and sign the Close-out Certification Form and include it with your shipment. Once IES receives the data and your Close-out Certification Form, you will receive a "close-out approval" email for your records. Lastly, you will be responsible for purging all copies or sub-sets of the subject data from any computer system used in your research project. After you have closed your License, please remember that:
- Any reports or other pre-publication documents that use or contain IES restricted-use data need to be reviewed by the IES Data Security Office prior to their dissemination outside the licensed research project staff.
- IES retains the right to conduct a close-out inspection of your license site to ensure that proper close-out procedures were followed.
For SDR-specific questions, please contact HGSE's Director of Security Operations (DSO) by emailing the IT Service Center. Otherwise, please schedule a security consultation with DSO to help determine your specific needs for an NCES/IES Restricted-Use data License.